For the last two days I've been struggling with a particularly irritating computer problem. I was called on Monday morning to say a Windows 2000 machine had a virus. An initial glance suggested spyware was killing processes: Explorer worked fine, but anything else - task manager included - was shut down immediately. This is pretty standard stuff for spyware, and I didn't anticipate much trouble. Sadly, I was wrong.
I deleted an obvious 'Windows Antispyware 2008' to no effect, and virus / anti-spyware scans revealed nothing. I shut down all the non-essential services I could find, and even ran a quick scan for rootkits, but couldn't find anything.
The problem was also there in Safe Mode, but not, I discovered by total chance, in Safe Mode with Networking. That was weird. The latter *should* just be the former + a network driver. This seemed consistent, then it happened once in SFw/N, and I started to think it might be hardware.
Admittedly it all felt a bit specific for that - you'd think hardware would kill everything, not just certain programs - but it could be to do with power draw. Plus, PSU problems have been known to have very weird symptoms. But a test PSU made no difference, the RAM checked out fine, and the (8-year-old) hard drive passed its fitness test. I thought I was onto something when I spotted the cpu fan slowing down and stopping in everything but SFw/N, but this was a red herring.
I eventually tracked it down by comparing the running processes in Safe Mode and Safe Mode w/ Networking (by repeatedly opening task manager and writing down names before it got nuked). The former, bizarrely, had an extra svchost.exe running. svchost.exe is a generic holder for background programs, and I needed more details. This is easy enough in XP, but in Windows 2000 you need the tlist support tool. The process turned out to be RpcSs: Remote Procedure Call. This was a new one on me, but it essentially controls background communications between programs. Disabling it solved the problem, but created a thousand more.
Turns out, RpcSS is vital. And here's where I got stuck. I just couldn't find any elegant ways to fix it. RpcSS is too low-level and important, and can't simply be reinstalled. Eventually I went with the old-school Magic Fix: the repair install. This just installs Windows over the top of itself, and while it's often equivalent to using a sledgehammer to crack a wotsit, it generally solves the problem. Not this time. Windows died, and wouldn't come back. In the end I was forced to reinstall from scratch, which is always the last resort.
That's really irritating. Usually, the hard part is diagnosing the problem. Once I know what's going wrong, it's just a matter of research and thinking it through. It's rare that I can know what's wrong but be unable to do anything about it. My best guess is the initial spyware somehow took out RpcSS. Windows 2000 is a bit old-and-busted now, and I'm hoping XP is better secured against such things.
I'm mainly blogging this for googlers facing similar issues. I couldn't find any references to problems manifesting in Safe Mode but not Safe Mode with Networking. Very odd one.
